8x7 Config improvements

Hi Again,

After some very constructive comments by Paolo I was wondering if anyone would like to share any comments on how to improve the performance of my routers.  Below is a typical config I use for 857 and 877 routers I deploy.  I realise it isn't even close to perfect.  But, me being a creature of habit, I have never got around to figuring out why some of the config is slowing the router down so much.  So...

  • I wish to improve overall router performance
  • I wish to maintain a reasonable level of protection from the outside world
  • I haven't yet learned how to get rid of the IP inspection.  When I just remove the ip inspect name lines and the ip inspect Inspect_Out out from the di0 int it stops all traffic flow, even after a reload.  Why is that?
  • Paolo mentioned getting rid of the class map.  Presumably he means the Internet_Inbound ACL.  How do I protect the router from the internet if I ditch that?
  • He also mentioned getting rid of the firewall.  Is this just the inspection firewall or do I have something else in place I am not even aware of?
  • I have also never figured out how to publish an FTP server through the NAT.  Just putting a "permit tcp any any eq 21" in the inbound ACL and "ip nat source static tcp 192.168.x.x 21 interface dialer0 21" doesn't work.  It allows the connection but no data flow.  So again, I don't know what I am doing wrong.

I greatly appreciate all comments and help.

no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
service sequence-numbers
no service dhcp
!
hostname Users857w
!
boot-start-marker
boot-end-marker
!
logging count
logging userinfo
logging buffered 52000
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone ESTime 10
clock save interval 8
!
crypto pki trustpoint TP-self-signed-1114035
---Snip---
!
crypto pki certificate chain TP-self-signed-1114035
----Snip----
      quit
dot11 syslog
!
dot11 ssid XXXXgoona
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 7 xxxx
!
no ip source-route
!
!
ip cef
ip inspect name Inspect_Out dns
ip inspect name Inspect_Out ftp
ip inspect name Inspect_Out pptp
ip inspect name Inspect_Out https
ip inspect name Inspect_Out imap
ip inspect name Inspect_Out pop3
ip inspect name Inspect_Out rcmd
ip inspect name Inspect_Out realaudio
ip inspect name Inspect_Out esmtp
ip inspect name Inspect_Out tftp
ip inspect name Inspect_Out tcp router-traffic
ip inspect name Inspect_Out udp router-traffic
ip inspect name Inspect_Out icmp router-traffic
no ip bootp server
ip domain name XXXXgoona.local
ip name-server 139.130.4.4
ip name-server 203.50.2.71
login block-for 300 attempts 4 within 60
login delay 7
login quiet-mode access-class Allow_Quiet_Mode
login on-failure log
login on-success log
!
username theuser privilege 15 secret 5 $1$cd4O$lA8
!
archive
 log config
  hidekeys
!
ip ssh version 2
!
bridge irb
!
interface ATM0
 no ip address
 no ip route-cache cef
 no ip route-cache
 load-interval 30
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 !
 encryption mode ciphers tkip
 !
 ssid XXXXgoona
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description Ramtech LAN Interface
 no ip address
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Dialer0
 description Ramtech Westnet
 ip address negotiated
 ip access-group Internet_Inbound in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect Inspect_Out out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname XXXXgoo10@direct.telstra.net
 ppp chap password 7 xxxx
!
interface BVI1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat source static tcp 192.168.x.x 25 interface Dialer0 25
ip nat source static tcp 192.168.x.x 443 interface Dialer0 443
ip nat source static tcp 192.168.x.x 987 interface Dialer0 987
ip nat source static tcp 192.168.x.x 3389 interface Dialer0 3389
ip nat inside source list Allow_NAT interface Dialer0 overload
!
ip access-list standard Allow_LAN_Access
 permit 192.168.1.0 0.0.0.255
ip access-list standard Allow_NAT
 permit 192.168.1.0 0.0.0.255
ip access-list standard Allow_Quiet_Mode
 remark IPs allowed during quietmode lockdown
 permit 192.168.1.0 0.0.0.255
!
ip access-list extended Internet_Inbound
 remark --- Anyone is allowed SMTP to the server
 permit tcp any host 110.142.x.x eq smtp
 permit tcp any host 110.142.x.x eq 443 log
 permit tcp any host 110.142.x.x eq 987 log
 permit tcp any host 110.142.x.x eq 1723 log
 permit gre any any log
 permit tcp host 202.173.x.x host 110.142.x.x eq 22 log
 permit tcp host 202.173.x.x host 110.142.x.x eq 3389
!
logging trap debugging
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
bridge 1 route ip
alias exec tl0 terminal length 0
alias exec ps show process cpu
alias exec top show process cpu sort 5m | excl (0.00%  0.00%  0.00%)
alias exec version show version | include image
alias exec uptime show version | include uptime|ROM[^:]|restarted
alias exec hist show process cpu history
alias exec dsl show dsl interface atm0 | include DSL[^:]|dB|Activat|LED|Speed
!
line con 0
 no modem enable
 transport preferred none
 transport output all
line aux 0
 transport output all
line vty 0 2
 exec-timeout 20 0
 privilege level 15
 transport preferred none
 transport input telnet
line vty 3 4
 exec-timeout 20 0
 privilege level 15
 transport preferred none
 transport input ssh
 transport output all
!
scheduler max-task-time 5000
sntp server 202.173.x.x
sntp server 128.250.x.x
sntp server 202.72.x.x
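As an added example (not from the thread and not Cisco code), a small Python audit that cross-checks the posted static NAT forwards against the Internet_Inbound ACL and the vty lines: it reports forwarded ports the ACL never permits or only permits from one source, permits with no forward behind them, and any vty that still accepts telnet. The config excerpt is constructed from the thread, with the OP's FTP forward added but no matching ACL line, so that the mismatch shows up as a finding; the "x" octets are kept as posted.

```python
import re

# Constructed excerpt of the posted 857 config plus the OP's proposed FTP forward.
CONFIG = """\
ip nat source static tcp 192.168.x.x 25 interface Dialer0 25
ip nat source static tcp 192.168.x.x 443 interface Dialer0 443
ip nat source static tcp 192.168.x.x 987 interface Dialer0 987
ip nat source static tcp 192.168.x.x 3389 interface Dialer0 3389
ip nat source static tcp 192.168.x.x 21 interface Dialer0 21
ip access-list extended Internet_Inbound
 permit tcp any host 110.142.x.x eq smtp
 permit tcp any host 110.142.x.x eq 443 log
 permit tcp any host 110.142.x.x eq 987 log
 permit tcp any host 110.142.x.x eq 1723 log
 permit gre any any log
 permit tcp host 202.173.x.x host 110.142.x.x eq 22 log
 permit tcp host 202.173.x.x host 110.142.x.x eq 3389
line vty 0 2
 transport input telnet
"""
NAMES = {"smtp": 25, "ftp": 21, "www": 80, "domain": 53, "pop3": 110}  # IOS port keywords
FWD = re.compile(r"^ip nat (?:inside )?source static (tcp|udp) \S+ (\d+) interface \S+ (\d+)$", re.M)
ACL = re.compile(r"^ip access-list extended (\S+)\n((?: .*\n)+)", re.M)
PERMIT = re.compile(r"^ permit (tcp|udp) (any|host \S+) host \S+ eq (\S+)", re.M)

def forwards(config):
    """Public (proto, port) pairs that static NAT maps onto the dialer address."""
    return {(p, int(gport)) for p, _lport, gport in FWD.findall(config)}

def permits(config, name):
    """(proto, port, source) for every port-specific permit in extended ACL `name`."""
    body = next(b for n, b in ACL.findall(config) if n == name)
    return [(p, NAMES.get(port) or int(port), src) for p, src, port in PERMIT.findall(body)]

def audit(config, acl="Internet_Inbound"):
    """Findings as plain strings: blocked or source-limited forwards, idle permits, telnet vty."""
    fwd, rules = forwards(config), permits(config, acl)
    findings = []
    for proto, port in sorted(fwd):
        srcs = [s for p, pt, s in rules if (p, pt) == (proto, port)]
        if not srcs:
            findings.append(f"{proto}/{port} is forwarded but {acl} never permits it")
        elif "any" not in srcs:
            findings.append(f"{proto}/{port} is forwarded but only reachable from {', '.join(srcs)}")
    for proto, port, _ in rules:
        if (proto, port) not in fwd:  # fine only if the router itself serves it (e.g. SSH mgmt)
            findings.append(f"{acl} permits {proto}/{port} with no matching static NAT")
    if re.search(r"^ transport input telnet", config, re.M):
        findings.append("a vty line still accepts telnet; logins cross the link in cleartext")
    return findings
```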


Leo Laohoo
Hall of Fame

Remove inspection.

Thanks for the reply,

As per original post, when I do that, all NAT traffic stops.  What else do I need to do?

Do I have to change the below line somehow?

ip nat inside source list Allow_NAT interface Dialer0 overload

Hi,

If you only remove inspection, you will still have the inbound ACL on Dialer which will drop most traffic. With inspection, traffic initiated from the inside will be let through like this.

If you decide to remove inspection, you need to modify the ACL Internet_Inbound to allow traffic.

Warm Regards,

Rose

Thanks Rose,

I know I sound dumb here but I still don't understand what I need to change on the internet inbound ACL to allow NAT traffic to get back in.  An example or sample ACL would be appreciated if it were available.

Hi,

It is a bit more complicated as it depends on what kind of traffic you would like to let through and you probably know this better.

Currently we have:

ip access-list extended Internet_Inbound
 remark --- Anyone is allowed SMTP to the server
 permit tcp any host 110.142.x.x eq smtp
 permit tcp any host 110.142.x.x eq 443 log
 permit tcp any host 110.142.x.x eq 987 log
 permit tcp any host 110.142.x.x eq 1723 log
 permit gre any any log
 permit tcp host 202.173.x.x host 110.142.x.x eq 22 log
 permit tcp host 202.173.x.x host 110.142.x.x eq 3389

For example, if you want to add HTTP traffic (external HTTP server), we would need to add:

permit tcp any eq 80 host

or

permit tcp any eq 80 any (this would let any HTTP traffic through though)

Warm Regards,

Rose

Thanks Rose.

I obviously am explaining this poorly. What I was trying to establish is how to get rid of CBAC whilst maintaining an ingress ACL. But I think I have that figured now. Sorry for the confusion.

Hi,

I am glad to hear that it got sorted out and sorry for the confusion on my part as well.

If everything is fine, it might be better to mark the thread as "answered" so others are aware of it too.

Cheers,

Rose
